Please note the following closure timeline for this program:
- Submissions disabled: 21st January 2020
- Program shutdown: 23rd January 2020
Security is one of the most important pillars in enabling UiPath's Vision to
reboot work, accelerate human achievement and provide a robot for every
person. With this disclosure program, UiPath relies on the expertise of
HackerOne's ethical hacker community to find vulnerabilities in our RPA
Platform and surrounding ecosystem in order to keep our customers, partners
and community users safe from malicious activities. We expect you to comply
with the rules presented on this page, acquire a comprehensive understanding
on how our platform components and ecosystem work together and submit quality
reports if you notice any issue.
- To receive credit, please provide detailed reports with reproducible steps including platforms, operating systems, versions, IP addresses, URLs, or logs .
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- Multiple vulnerabilities caused by one underlying issue will be considered as one.
- Social engineering or any activity that could lead to social engineering or denial of service (DoS) (e.g. phishing, vishing, smishing) is prohibited.
- Only interact with accounts you own or with explicit permission of the account holder and don't jeopardize any UiPath or customer data.
- Injection attempts (any executable code, file, etc that can be executed on the server side and delivered/injected through the Web interface or API) via attacks such as SSRF will not be considered of high value unless demonstrating a vulnerability and injection results in changes to the application's behavior that UiPath considers harmful for our customers or arbitrary code is able to run on a non-local/remote machine.
- Your testing must not violate any law or disrupt or compromise any data that is not your own.
Encouraged areas of focus
- Vulnerabilities in the implementation of Orchestrator and Robot that will permit escalation of privileges and perform out of rights/bound actions on Orchestrator.
- With just the knowledge of public domain information about UiPath and its employees, enumerate all publicly discoverable/accessible service end-points for UiPath.
- Enumerate/Discover management level secrets such as passwords.
- Gain control over the Orchestrator machine(s) in an on-premise scenario where the threat actor (malicious entity) is not a provisioned user on Orchestrator at application layer or OS level but is able to join the network on which robot and Orchestrator is deployed.
- Using manual analysis or tools of your choice (disclosed to UiPath if possible), conduct an objective evaluation of the Orchestrator application against OWASP Top 10 2017 Application Security Risks & CWE/SANS Top 25 Most Dangerous Software Errors.
- Via interactive methods or access through APIs, inject or upload executable code into Orchestrator application that eventually runs itself.
Out of scope vulnerabilities
When reporting vulnerabilities, please consider (1) attack scenario /
exploitability, and (2) security impact of the finding. The following issues
are considered out of scope:
- Clickjacking on pages with no sensitive actions.
- Unauthenticated/logout/login CSRF.
- Previously known vulnerable libraries without a working Proof of Concept.
- Cookie issues relating to samesite/secureflag/Httponly.
- Password policy and password lockout related issues.
- User enumeration.
- Use of zero day exploits in third-party software.
- Reports of missing best practices in SSL/TLS configuration.
UiPath will make best efforts to respond to hackers participating in this
Program within 5 business days. We’ll try to keep you informed on the progress
of the issue validation process.
- You must comply with all applicable laws in connection with your participation in the Program.
- You agree that you shall not, without the prior written consent of UiPath in each instance (i) use in advertising, publicity or otherwise the name of UiPath or any trade name, trademark, trade device, service mark, symbol or any abbreviation, contraction or simulation thereof owned by UiPath, (ii) represent, directly or indirectly, any service or work provided by you as approved or endorsed by UiPath, (iii) publicly disclose vulnerability details at any point in time. In the case of written consent from UiPath for disclosure of vulnerabilities after remediation, you shall follow HackerOne's disclosure guidelines (https://www.hackerone.com/disclosure-guidelines __). In the event of a conflict prior to or after remediation, this policy supersedes HackerOne’s guidelines.
- You agree that any and all information acquired or accessed by you under this Program is confidential to UiPath (“Confidential Information”) and you shall not copy, reproduce, sell, assign, license, market, transfer or otherwise dispose of, give or disclose Confidential Information to third parties or use it for any purposes other than for the performance of your work within the Program.
- You agree to (i) contact us immediately if you inadvertently encounter user data and (ii) not view, alter, save, store, transfer, or otherwise access any user data, and (iii) immediately purge any local information upon reporting the vulnerability to UiPath; You will act in good faith to avoid privacy violations, destruction or corruption of data, and interruption or degradation of our services (including denial of service).
- You acknowledge and agree that any and all information you encounter is owned by UiPath or its third party providers, customers or partners. You have no rights, title or ownership to any information that you may encounter.
- You agree to access and use the UiPath software and services in accordance with their licensing terms. When you action under this Program, you are also bound by this Policy. If there are any conflicts between this Policy and the licensing terms, this Policy will prevail to the extent of the conflict.
- UiPath reserves the right to inform its customers about any found vulnerability that might affect their deployments and take a reasonable amount of time to assure that they have applied the fix before disclosing it publicly. Please note that we may not disclose publicly specific vulnerabilities even after they are fixed if that would affect the core of our business.
- Accessing, interfering or otherwise tampering with any cloud infrastructure or networks hosting the UiPath applications (Microsoft Azure) is not allowed. However, any vulnerability discovered by accidental, good faith violations of this Policy should be reported to Microsoft within 24 hours in accordance with and by following the Microsoft Penetration Testing Rules of Engagement and Reporting (https://www.microsoft.com/en-us/msrc/pentest-rules-of-engagement __). You will also notify UiPath in regards to any finding at the same time to any submission to Microsoft.
- Decision making in regards to this Program is ultimately up to UiPath’s sole discretion, including modifying or terminating the Program and the Policy at any time.
Any activities conducted in a manner consistent with this Policy will be
considered authorized conduct and we will not initiate legal action against
you. If legal action is initiated by a third party against you in connection
with activities conducted under this policy, we will take steps to make it
known that your actions were conducted in compliance with this policy to the
extent this is true.
Thank you for helping us keep UiPath and our customers, partners and community
Out of Scope
This program have been found on Hackerone on 2019-09-11.